The UK’s “other” big experiment: Regulating online platforms?
VoxEU Blog/Review Competition Policy

The UK’s “other” big experiment: Regulating online platforms?

Cristina Caffarra interprets the new report from the UK's Competition & Markets Authority which articulates – for the first time anywhere – what the regulation of Google and Facebook might actually look like.

The UK is about to embark on a major natural experiment. No, not Brexit: ex ante regulation of dominant online platforms. 

The Competition & Markets Authority’s Interim Report on Online Platforms and Digital Advertising, published just before Christmas, is a clever and impressive document with new evidence and analyses amassed over a brief period. It also needs to be understood in context. The CMA was under pressure for some time – from privacy advocates, commentators and opinion makers, as well as the publishing industry – to “do something” about dominant digital platforms. With Germany pursuing high-profile actions against Facebook, and France with enforcement cases against both Google and Facebook, there had been some clamour in the UK for the CMA to open a Market Investigation into some market important to these platforms. A “Market Investigation” is a powerful tool in the CMA’s box, used sparingly in the past (e.g. retail banking), but favoured by many because it gives the CMA latitude to explore all reasons why markets “do not to function well” (beyond specific competition law violations) and carries unusually broad powers of interventions, including breakups. Given the importance of digital advertising in terms of revenues and its relevance to multiple businesses, the “ad tech stack” (and related markets that feed into it) seemed a natural place to look.

The CMA had been reluctant, however, to embark in an open-ended multiyear investigation without a clear exit strategy. The Furman Report, and the government’s statement that it would actually implement the Furman recommendation of a “Digital Market Unit” in 2020, provided a path out. A Market Study is not a binding commitment to do anything specific. Indeed, the Interim Report (“IR”) anticipates already that its final output in June 2020 is not going to be a Market Investigation Reference, but a series of “recommendations” to government for the yet-to-be-established Digital Market Unit (“DMU”) to carry out.  In effect, while the locus and composition of the DMU are still to be determined, the CMA has diagnosed the problems and set out a broad and comprehensive agenda, but passed the ball entirely to a newly founded industry regulator to get it done.

There is next to no time spent in the IR on the CMA’s own ex-post competition enforcement plans. The CMA positions itself as setting out the principles and workplan for an ex ante regulatory regimeto apply to digital platforms in the UK. It does acknowledge in passing that ex ante regulation is a “complement” to ex post enforcement, but the focus is all on regulation and the prevailing sentiment is that as most of the problems it identifies fall short of competition violations, i.e. we need a different – regulatory – tool. 

The IR’s recommendations fall into two broad categories. One is the much-vaunted idea of a “code of conduct” for platforms to adhere to (a fashionable idea mentioned in a broad range of recent international analyses of digital platforms). Then there are various “interventions” identified as potential ways of dealing with specific problems – ranging from “how to”-type measures to “cease and desist”-type actions and finally “separation” for situations where there appears to be the most egregious conflicts of interest.  Both are to be pursued by the DMU/regulator, with the CMA’s role as yet unclear (the scope and location of the DMU having yet to be decided). But the CMA is setting the agenda and the workplan. 

So, what does this all mean? 

The UK is in effect forgoing antitrust enforcement in favour of a big experiment in regulation

So here it is: the UK is taking the plunge in favour of regulation, and setting up a whole new regulatory infrastructure for digital giants, in preference to competition enforcement through ordinary competition rules.  The view that “competition cannot deal with all of this” and “we need a specialist regulator” because of the limitations of competition rules has been around for some time. And indeed, there are fundamental issues that are hard to grapple with through competition enforcement – from consumer data rights, including privacy issues and compensation for consumers’ data performance, to concerns about incentive problems supporting disinformation. Much less of an issue should be other oft-repeated limitations of competition enforcement: the need to fit into precedent boxes, the time it all takes, the failure of remedies – these are all fixable if we try.  And indeed other main players are so far sticking to competition law albeit with powered up tools: Germany has a draft reform competition law bill in the works which will give special status to companies with digital market power, and empower the FCO to act quickly with injunction-like powers against these companies over multiple practices listed in an extensive catalogue of infringements; France’s AdlC is working closely with its privacy and communication agencies but still working off its antitrust powers, with enhanced use of injunctions and interim measures.  

The UK is first in Europe to set off on an explicit regulatory experiment and articulate a detailed agenda.  The philosophy is that for many of the conducts that we worry about (as identified in the IR), a set of ex ante rules about what’s acceptable and what’s not is going to be a more direct and efficient solution than pursuing antitrust actions. And for the entire topic of consumer-facing issues – terms of engagement on data collection and use, privacy settings, etc. – I would agree this has to be the way to go. For intricate technical issues such as data mobility/interoperability and the interface with privacy concerns, a regulator with technical expertise is also obviously preferable. 

But when it comes to concerns around conduct to preserve market power, extend it, or exploit businesses that rely on its home market for key inputs (such as traffic or visibility or exposure), we have the antitrust tools, and we need to deploy them. It would be disappointing if we defaulted to an ex ante regulatory solution out of a notion that competition tools are ossified and incapable of being usefully flexed and updated to current circumstances. Competition enforcement can be used imaginatively and coherently if we recognise that the fundamental concerns around the exercise of market power (exclusion, foreclosure, and exploitation) can be formulated appropriately in a world of network effects, data advantages and economies of scale and scope. Nothing concentrates business minds like the opening of formal competition investigations, with the potential for interim measures, injunctions, extensive information requests and the reputational effects that are associated with a live case.  If we are placing a regulator in charge, it needs to be able to bring strong enforcement actions or refer them to the competition agency. This is all to be played for, but it’s going to be key to the design of the scope and powers of the DMU. 

In practice this will mean company-specific regulation

We typically think of an “industry regulator” as an agency presiding over a bunch of companies with similar technologies and business models – Ofcom, Ofwat, Ofrail, Ofgem, financial regulators, grocery adjudicator, etc.  And we think that one of the benefits of being a sectoral regulator is being able to deploy sectoral knowledge across multiple targets with commonalities – through “industry-wide rules” and codes of conduct. 

Here, while ostensibly about “digital giants”, the IR is focusing the DMU in effect on ad-fundedbusinesses: only Google and Facebook are really in the firing line. This makes sense because it recognises that business models drive incentives very directly, and the deepest concerns we have at this point in this space are mostly about the way in which ad funding provides incentives to extract data from consumers, exploit them in ways that are not transparent, adopt conduct to leverage power in multiple domains and preserve their advantages over others by limiting and foreclosing their ability to collect or use data or tying services together.1 Other digital platforms operating different business models barely get a mention in the IR (Amazon in passing, to the extent that it is increasingly using display advertising, but is also recognised as “different” because ads are limited to vendors; Microsoft only gets in at all as a challenger to Google in search, and Apple is nowhere).   

So, really this is only (for now) about Google and Facebook. And more than that: because only one of them is clearly dominant in each of the markets that are deemed problematic (Google in search advertising and open display advertising, Facebook in display advertising), and the concerns about their conduct in these markets are distinct, the “sectoral” regulator will be in practice a Google-regulator and a Facebook regulator. There are still going to be benefits in terms of the regulator having familiarity with some common industry features, but there should be no mistake – this is going to be mostly firm-specific regulation

Will a “code of conduct” actually work? 

The specificities of each business are also relevant to the feasibility and scope of the IR’s first main proposal: for a “code of conduct” that the DMU would develop and enforce.  The suggestion of a “code of conduct” (to apply to digital firms designated with “Strategic Market Status” (SMS) was in the Furman Report and has been bandied about quite a bit in the last year as a novel approach to policing digital giants and ensuring acceptable standards of conduct.  What has made it so popular in policy circles is also a sentiment that it picks up a suggestion by Nobel prize winner Jean Tirole for a more “collaborative” and “participative” antitrust (an idea he expressed in an interview to Quartz last summer, though has not written up more formally).  While Tirole has never really made this concrete, his “oracle/guru” status has meant it has gained traction as an exhortation that given the complexities of the digital sector, what’s needed instead of enforcement is to cajole and coordinate the input and interests of multiple stakeholders, platforms and businesses relying on them, internet giants and their “dependants”, to arrive at some form of consensus on what’s acceptable conduct and what isn’t. The IR is not yet discussing how the “code of conduct” would be in fact decided, but the notion of some “cooperation” in defining the rules is popular out there because of the implicit assumption that rules arrived at through this process – with some extended debate and engagement by the firms which are going to be subjected to them – are more likely to be adhered to and to work. 

Concerns around this general model to me are twofold. First, that because the digital businesses we worry about are so inherently different – even if one looks just at Google and Facebook – a code of conduct needs to be specific and cannot be of general application. What common rules would apply to both Google and Facebook? And if they are too general and broad, how can they bite? Second, and most importantly, there is a clear risk that the process for arriving at this code will become a protracted consensus-seeking iteration between sides, ultimately seeking buy-in from the firm to which it is to apply. Google has suddenly expressed great favour for this idea on the conference circuit – and, as such, we should be suspicious. How is this going to avoid regulatory capture, delay tactics, and procrastination?  The IR just says the regulator will have the “power to set binding rules” but says nothing at this stage about how they will be arrived at.

So the formulation of a meaningful “code” is going to be tricky. The IR recognises it will most likely take the form of “principles that would define behaviour”, plus some guidance as to how they would apply. Three general principles are suggested: “Fair trading” (to apply to dealings between dominant platforms and businesses operating on them, and to the relationship with consumers on data and use of services); “Open Choices” (to remove conditionalities in the availability of services, e.g. tying and bundling, restrictions of interoperability); and “Trust and Transparency” (to mandate that more information on terms and modi operandi is given to both businesses and consumers dealing with the platform).  The IR then attempts to give “examples” for how these very general principles could be applied. For instance, under “Fair Trading” there is a suggestion that price and non-price terms set to customers should be “objectively justified”, that consumer consents to data use and choices would be “designed fairly”, and that “no unreasonable restrictions” should be placed on customers to use the services of rivals. Under “Open Choices”, the examples include a prohibition of tying and of bundled discounts.  

This is ambitious and sweeping – indeed, the IR states the objective is to “govern and change the behaviour of platforms with SMS”.  It clearly goes even beyond what competition policy allows us to do – we don’t require firms (even when dominant) to always show their price/non-price terms are “objectively justified” (it’s a long-standing view that this is a pretty meaningless benchmark); nor do we prohibit all forms of bundle discounts unless they are exclusionary.  Because we have indulged the notion of “type 1 errors” far too much and got ourselves in an underenforcement quagmire, I have sympathy with the position that in this sector one might want to set the bar higher and indeed not take too much time with effects-based analyses. But to articulate what’s “fair” in general, what’s open “enough”, and what’s transparent “enough” will be a major undertaking on which no one will agree. It is laudable, but in order to work it seems to me one would need (at a minimum) to (a) define very clearly a timetable for these principles and examples to be established; (b) provide a clear statement that we know this goes beyond standard competition law benchmarks, but so be it because we are trying to overcome what we (the CMA/regulator) believe are limitations of competition law, and (c) no consensus-seeking approach to articulate the code, which would delay its coming into force by years.  Like competition enforcement, regulation should not be friendly and cosy. 

The “interventions” 

The second main strand of the recommendations expected to flow from the CMA Market Study are prospective “interventions” to deal with the identified problems. These tend to be measures to deal with barriers to entry and expansion in multiple forms, including those erected by conduct. They are set out distinctly from the “code of conduct” presumably on the basis that they involve more complex interference and/or intrusion into the core business – although as mentioned, it is not clear that the general principles of the code of conduct would be any less intrusive when articulated in practice. The “interventions” also extend to separation measures in the case of the digital adtech, where the CMA identifies the most troubling conflicts of interest arising from Google’s integration and presence on both sides of the intermediation.  

The IR sets out “examples” of interventions for each of the markets where issues are found. For “general search”, the “interventions” are intended to give a chance to other engines by (a) reducing Google’s ability to secure default positions for Chrome and/or Search on mobile devices (in effect the CMA gives here a synopsis of the EC case and remedy saga in Android); and (b) improving others’ search performance through various potential means of accessing Google’s search queries and click data via periodic data feeds (a Microsoft proposal); as well as potentially providing competing search engines with search results from Google through syndication agreements.  For “social media” (i.e. Facebook), the “interventions” concern potentially various forms of mandated “interoperability” – from broad platform-level interoperability to more selective interoperability over different functionalities. These could be complemented with measures to “improve personal data mobility” on the consumer side, to facilitate switching and multihoming (and therefore competition) – including measures to “put users in control of their data”: concretely, enabling sharing of consumer data held by large platforms with third parties (e.g. publishers or financial institutions). There is emphasis, however, on the practicability of these solutions and the potential for creating new concerns. 

So far so (very) good, though not very novel. The ideas were mostly or all in the Furman Report, the IR now puts forward analyses and evidence to back it all up. The hard questions for the next round (and the DMU) are implementability and privacy implications.

The most far-reaching potential set of “interventions” deals with concerns identified in relation to Google’s position in the adtech stack. Here the IR is very explicit about the “conflict of interest between Google’s role on the buy and sell sides of the open display market”, which combines with “Google’s ability to exploit a lack of transparency in costs and fees” and the potential for leveraging market power and foreclose rivals in intermediation.  A number of potential “interventions” are foreseen, for example to create greater transparency on fees and terms for both advertisers and publishers – expanding on the list of measures under “Transparency and Trust” in the code of conduct (and taking in further dubious practices like the double auction that exploits complete lack of transparency to extract rents).  But the centrepiece (and in truth, something the CMA could not leave out in the face of popular demand) are separation interventions (to various degrees of finality and depth) between portions of the vertical stack. 

The CMA’s assessment is that Google’s presence on multiple sides of the market and incentive/ability to leverage may not be addressed short of severing certain links in the vertical chain. The specific “interventions” considered include most prominently hiving off (or introducing measures to independently operate) Google’s publisher ad server and ad exchange, Google Ad Manager, from the rest of the vertical stack.2 This is the (partial) “undoing of the DoubleClick merger” which is often mentioned as a “natural” remedy to reverse the 2008 integration of DoubleClick into Google – which has come to be regarded as a major pillar on which the current dominance is built (because it has enabled inter alia the tying and bundling of multiple functions, self-preferencing and restricting access to certain ad inventory to others, and creating preferential channels for access to data). An additional “separation” measure proposed is the separation of the DSP and SSP functions for all intermediaries (not just Google). Further, there is also a proposal to deal with Google’s (and in fact Facebook’s) data advantage through some form of separation of Google’s advertising business from certain its data/analytics business. For each case, the IR lists the standard options of “full ownership separation”, “operational separation”, “functional separation” or “accounting separation”, and goes through the usual cautions about loss of benefits of integration to be weighed carefully in the mix. Finally, and in addition to these, the IR recognises the importance of access to inventory for entrants and rivals, and considers an intervention also to open up to third parties the ability to sell YouTube’s advertising inventory, instead of having to use only Google’s own DSP to access it.  

The CMA are signalling they would be prepared to support these intrusive measures, but also that it is hard for the UK to “go it alone” and realistically some form of international coordinated effort would be necessary for these to be credibly pursued. 

Overall message? 

The IR is a comprehensive and impressive document – the CMA gives a tour d’horizon of the issues with ad-based platforms, supported by significant original work and research carried out over a compressed period of time (just six months). It is remarkable for setting out a broad set of ambitious proposals, on which it is consulting and which will be no doubt whittled down and finessed in the Final Report. 

Three final comments.

Can they make any of this happen? Every single one of Google’s and Facebook’s responses and contributions to the Study, as reported in the IR, appear weak and highly predictable: need to be very careful, unintended consequences, undermining innovation, etc. In other words, the usual pap. There will be massive resistance and procrastination and the DMU will need coercive powers (notconsensus-seeking) to induce them to recognise – let alone subject themselves to – the code of conduct, and competition law-type powers for the investigations required to underpin any intervention. This is going to be a challenge in uncharted regulatory waters, for a regulator yet to be established and whose powers are not yet set. The IR talks about all this requiring primary legislation, so timing will not be short.  There is also a clear appeal to other global agencies to align on interventions that would not be likely to get anywhere if pursued in the UK alone.  

Will it work? No single set of interventions in an individual market will address the market power and privacy violations we worry about. There is need for ranking and prioritising of all interventions. Do we think that separating Ad Manager would deliver results and lessen the market power overall? Of course not. It would help deal with the publisher/advertiser problem, for sure, but it is not going to be a global solution. Addressing data collection practices and data advantages, as well as forcing interoperability in multiple dimensions, seem a most immediate priority.  Prohibiting conduct that amounts to tying, bundling and self-preferencing is going to generate howls of pain among the competition law purists, but so be it – I think it’s okay to plead “special circumstances”.  Of course, this is true of competition enforcement generally: ex post action tends to be very specific to a market/ conduct and does not present global solutions. But it is clear that “doing adtech”, “doing search” and “doing Android” separately is not going to be the answer. The difficulty (for all regulators and agencies worldwide at this point) will be to go beyond isolated piecemeal actions and design a set of measures that have the potential to deal with a sprawling issue. 

Who else will come in the spotlight? For now, ad-funded giants are getting all the attention.  Amazon is given a warning to the extent that it is pivoting toward advertising, but does not appear to be an immediate target. Apple’s trouble with app developers and its rules for in-app purchases do not seem an issue of priority for now in the UK (although they are in Brussels). Microsoft is seen mainly as a Google challenger in search and not as a data business – at least for now. That said, there will be effort to articulate the principles for a “code of conduct” as generally as possible, so they could be argued to be potentially applicable beyond Google and Facebook. And once the DMU is in place, it can be expected to look further.

Either way we will need a big, multidisciplinary footprint combining different skills, and much international cooperation to make efforts meaningful. We got here late, but the UK’s ambitious announcement it plans to engage in a major natural experiment to regulate digital platforms, in the midst of the Brexit upheaval, is sending a strong signal. 

Author’s note: The views expressed in this note are entirely personal and do not reflect those of CRA, other CRA experts or any CRA clients.


[1] See Caffarra, Follow the Money, Concurrences August 2019, at

[2] Google Ad Manager incorporates the former DoubleClick For Publishers, DFP, and its ad exchange function DoubleClick Ad Exchange, each estimated to account for 80-90% of supply at their respective level of the stack.